Sign up to receive free email alerts when patent applications with chosen keywords are publishedSIGN UP

Abstract:

A process for testing an integrated circuit includes collecting a set of
points of a physical property while the integrated circuit is executing a
multiplication, dividing the set of points into a plurality subsets of
lateral points, calculating an estimation of the value of the physical
property for each subset, and applying to the subset of lateral points a
step of horizontal transversal statistical processing by using the
estimations of the value of the physical property, to verify a hypothesis
about the variables manipulated by the integrated circuit.

Claims:

1. A process for testing an integrated circuit device, comprising: during
execution by the integrated circuit of a multiplication operation of two
binary words x and y, the multiplication operation including a plurality
of basic multiplication steps of components xi of the word x by
components yj of the word y, collecting a set of points of a physical
property representative of switching of binary data by the integrated
circuit; dividing the set of points of the physical property into a
plurality of subsets of lateral points, each subset corresponding to a
basic multiplication operation of a component xi of rank i of the word x
by a component yj of rank j of the word y; forming at least one general
hypothesis about a value of word x and/or a value of word y; for each
subset of lateral points, forming a particular hypothesis about a value
of a component xi and/or of a component yj linked to the general
hypothesis; for each subset of lateral points, calculating an estimation
of the value of the physical property that is a function of the
particular hypothesis, and attributing the estimation to the subset and
to the points of the subset; and applying to the subsets of lateral
points a step of horizontal transversal statistical processing using the
estimations of the value of the physical property associated therewith,
to determine whether the general hypothesis is correct.

2. The process according to claim 1, wherein the step of horizontal
transversal statistical processing comprises: forming horizontal
transversal subsets of points, each having points of the same rank
belonging to different subsets of lateral points, forming a set of
correlation coefficients by calculating, for each horizontal transversal
subset, a correlation coefficient between the points of subset and the
particular estimations of the value of the physical property associated
with each of the points of the subset, and determining whether the
general hypothesis is correct or not as a function of the profile of the
set of correlation coefficients.

3. The process according to claim 2, wherein determining whether the
general hypothesis is correct includes searching for at least one
correlation peak in the set of correlation coefficients.

4. The process according to claim 1, wherein the step of horizontal
transversal statistical processing comprises: classing the subsets of
lateral points in first and second groups as a function of the estimation
of the value of the physical property that is attributed thereto, by
allocating to the first group the subset of points having a high
estimation and to the second group a low estimation of the physical
property, calculating average values of points of the same rank of each
subset of the first group to obtain a first subset of average points,
calculating average values of points of the same rank of each subset of
points of the second group to obtain a second subset of average points,
forming a subset of differential points having differential points equal
to the difference between points of the same rank of the first and of the
second subsets of average points, and determining whether the general
hypothesis is correct or not as a function of the profile of the subset
of differential points.

5. The process according to claim 4, wherein determining whether the
general hypothesis is correct includes searching for one or more peaks of
the physical property in the subset of differential points.

6. The process according to claim 1, wherein calculating an estimation of
the value of the physical property for each subset of lateral points
includes calculating a Hamming weight of data that is a function of the
value of the component xi and/or of the component yj associated with the
subset of lateral points according to the particular hypothesis linked to
the general hypothesis.

7. The process according to claim 6, wherein the data function of the
value of the component xi and/or yj is equal to one of the following
values: xi, yj, xi*yj, α*xi+β*yj, α and β being
weighting coefficients.

8. The process according to claim 1, wherein the physical property is one
of a current consumption of the integrated circuit, a magnetic field
absorption, and an electromagnetic radiation of the integrated circuit,
or a combination thereof.

9. The process according to claim 1, further comprising rejecting the
integrated circuit if the statistical processing step verifies that the
general hypothesis is correct.

10. A process applied to an integrated circuit having a processing
function of external data, the execution of which includes conditional
branching to at least a first step of multiplication of binary words x, y
or a second step of multiplication of the binary words x, y, the
conditional branching being a function of a private data of the
integrated circuit, and a multiplication function configured to execute
the multiplication steps designated by the conditional branching in a
plurality of basic multiplication steps of components xi by components yj
of the words x, y to multiply, the process further comprising: addressing
the external data to the integrated circuit; activating, in the
integrated circuit, the processing function of the external data;
collecting a set of points of a physical property representative of
switching of binary data by the integrated circuit during the execution
by the integrated circuit of a multiplication that is the function of the
conditional branching; forming at least one general hypothesis about the
value of the private data and the value of binary words x, y subject to
multiplication, in relation with the value of the private data; dividing
the set of points into a plurality of subsets of lateral points, each
subset corresponding to a basic multiplication operation of a component
xi of rank i of word x by a component yj of rank j of word y; for each
subset of lateral points, forming a particular hypothesis about a value
of a component xi and/or of a component yj linked to the general
hypothesis; for each subset of lateral points, calculating an estimation
of the value of the physical property that is a function of the
particular hypothesis, and attributing this estimation to the subset and
to the points of the subset; and applying, to the subsets of lateral
points, a step of horizontal transversal statistical processing by using
the estimations of the value of the physical property associated
therewith, to determine whether the general hypothesis about the value of
the private data is correct.

11. The process according to claim 10, including rejecting the integrated
circuit as unable to conserve the secret data if the statistical
processing step verifies that the general hypothesis is correct.

12. The process according to claim 10, applied to an integrated circuit
wherein the data processing function is a modular exponentiation
function, the private data being an exponent of the modular
exponentiation function.

13. The process according to claim 10, applied to an integrated circuit
wherein the data processing function is a cryptographic function
including a modular exponentiation function, the private data being an
exponent of the modular exponentiation function forming a private key of
the cryptographic function.

14. A system for testing an integrated circuit, comprising: an execution
component configured to make the integrated circuit execute a
multiplication operation of two binary words x and y, the multiplication
operation including a plurality of basic multiplication steps of
components xi of the word x by components yj of the word y; a measuring
component configured to measure and collect, during the execution of the
multiplication operation, a set of points of a physical property
representative of the switching of binary data by the integrated circuit;
and a data processing component, configured to: divide the set of points
of the physical property into a plurality of subsets of lateral points,
each subset corresponding to a basic multiplication operation of a
component xi of rank i of the word x by a component yj of rank j of the
word y, forming at least one general hypothesis about a value of word x
and/or a value of word y, for each subset of lateral points, forming at
least one particular hypothesis about a value of a component xi and/or of
a component yj linked to the general hypothesis, for each subset of
lateral points, calculating an estimation of the value of the physical
property that is a function of the particular hypothesis, and attributing
this estimation to the subset of lateral points and to the points of the
subset, and applying, to the subset of lateral points, a step of
horizontal transversal statistical processing by using the estimations of
the value of the physical property that are attributed to the lateral
points, to determine whether the general hypothesis is correct.

15. The system according to claim 14, wherein the system is configured to
reject the integrated circuit if the statistical processing step verifies
that the general hypothesis is correct.

16. The system according to claim 14, wherein the measuring component is
configured to measure one of a current consumption of the integrated
circuit, a magnetic field absorption, and an electromagnetic radiation of
the integrated circuit, or a combination thereof.

Description:

BACKGROUND OF THE INVENTION

[0001] Embodiments of the present invention relate to an integrated
circuit including a multiplication function configured to execute a
multiplication operation of two binary words x and y in a plurality of
steps of basic multiplication of components xi of word x by
components yj of word y.

[0002] Embodiments of the present invention relate in particular to an
integrated circuit including an external data processing function, the
execution of which includes at least conditional branching to at least a
first multiplication step of binary words or a second multiplication step
of binary words. The conditional branching is a function of a private
data of the integrated circuit.

[0003] Embodiments of the present invention relate in particular to a
process and system for testing of such an integrated circuit.

[0004] Embodiments of the present invention also relate to a process for
protecting an integrated circuit of the above-mentioned type against a
side channel analysis, and to a countermeasure allowing such an
integrated circuit to pass a qualification or certification process
including a test process according to embodiments of the invention.

[0005] Currently, secured processors that are more and more advanced may
be found in chip cards or other embedded systems such as USB keys (flash
drives), decoders and game consoles, and in a general manner, any Trusted
Platform Module TPM. These processors, in the form of integrated
circuits, generally have Complex Instruction Set Computer (CISC) 8-bit
cores or Reduced Instruction Set Computer (RISC) cores of 8, 16, or more
bits, 32-bit processors being the most widespread at this time. Some
integrated circuits also include coprocessors dedicated to some
cryptographic calculations, notably arithmetic accelerators for
asymmetric algorithms such as Rivest, Shamir and Adleman (RSA), Digital
Signature Algorithm (DSA), Elliptic Curve Digital Signature Algorithm
(ECDSA), or the like.

[0006] FIG. 1 shows, as an example, a secure integrated circuit CIC1
arranged on a portable support Handheld Device (HD), for example, a
plastic card or any other support. The integrated circuit includes a
microprocessor MPC, an input/output circuit IOC or interface
communication circuit, memories M1, M2, M3 linked to the microprocessor
by a data and address bus and, optionally, a coprocessor CP1 for
cryptographic calculations or arithmetic accelerator, and a random number
generator RGEN. Memory M1 is a memory of the Random Access Memory (RAM)
type containing volatile application data. Memory M2 is a non-volatile
memory, for example an EEPROM or Flash memory, containing application
programs. Memory M3 is a Read Only Memory (ROM) containing the operating
system of the microprocessor.

[0007] The interface communication circuit IOC can be of the contact type,
for example, according to the ISO/IEC 7816 standard, of the contactless
type with inductive coupling, for example, according to the ISO/IEC
14443A/B or ISO/IEC 13693 standards, of the contactless type functioning
by electric coupling (UHF interface circuit), or both of the contact and
contactless type (integrated circuit called "combi"). The interface
circuit IOC shown as an example in FIG. 1 is an inductive coupling
contactless interface circuit equipped with an antenna coil AC1 to
receive a magnetic field FLD. The field FLD is emitted by a card reader
RD that is itself equipped with an antenna coil AC2. Circuit IOC includes
apparatus for receiving and decoding data DTr emitted by the reader RD
and apparatus for coding and emitting data DTx supplied by the
microprocessor MPC. It may also include apparatus for extracting from the
magnetic field FLD a supply voltage Vcc and a clock signal CK of the
integrated circuit.

[0008] In some embodiments, the integrated circuit CIC1 may be configured
to execute encryption, decryption, or signature operations of messages m
that are sent to it, by way of a cryptographic function based on the
modular exponentiation using a secret key d and a cryptographic module n,
for example a cryptographic RSA function.

[0009] Overview Concerning Modular Exponentiation

[0010] The modular exponentiation function has the following mathematical
expression:

md modulo(n)

m being an input data, d an exponent, and n a divisor. The modular
exponentiation function therefore consists of calculating the remainder
on the division of m to the power d by n.

[0011] Such a function is used by various cryptographic algorithms, such
as the RSA algorithm, the DSA algorithm, Elliptic Curve Diffie Hellman
(ECDH), ECDSA, ElGamal, or the like. The data m is then a message to
encrypt and the exponent d is a private key.

[0012] Such a function may be implemented using the following algorithm
(modular exponentiation according to the Barrett method):

wherein the message m and the module n are integers (for example of 1024
bits, 2048 bits, or more), d is the exponent of v bits expressed in base
2 (dv-1, dv-2, . . . d0), "LIM" is the multiplication
function of large integers ("Long Integer Multiplication") and "BRED" is
a reduction function according to the Barrett method ("Barrett
REDuction") applied to the result of the LIM multiplication.

[0013] In an integrated circuit such as that shown in FIG. 1, such a
modular exponentiation algorithm may be executed by the microprocessor MP
or by the coprocessor CP1. Alternatively, some steps of the algorithm can
be executed by the microprocessor whereas others are executed by the
coprocessor, if it is merely an arithmetic accelerator. For example, the
microprocessor may confide the LIM multiplications of steps 3A and 3B to
the coprocessor, or else the entire calculation may be confided to the
coprocessor, depending on the case.

[0014] In addition, the LIM multiplication of a by a (Step 3A) or of a by
m (Step 3B) is generally executed by the integrated circuit by means of a
multiplication function of binary words x and y. This multiplication
includes a plurality of steps of basic multiplication of components
xi (ai) of word x by components yj (aj or mj) of
word y (i and j being iteration variables), to obtain intermediate
results that are concatenated to form the general result of the
multiplication.

[0015] Overview of Side Channel Analysis

[0016] In order to verify the level of security offered by a secure
integrated circuit to be commercialized, qualification or certification
tests are performed at the industrial level. In particular, tests are
performed to assess the robustness of the integrated circuit to side
channel analyses aiming to discover the secret data of the integrated
circuit.

[0017] The exponentiation algorithm is therefore subjected to such
controls. More particularly, the side channel analysis of the modular
exponentiation algorithm consists of deducing bit-by-bit the value of the
exponent, by observing the "behavior" of the integrated circuit during
the execution of step 3 of the algorithm, at each iteration of rank s of
this step. This observation aims to determine whether the considered step
3 includes step 3A only or includes step 3A followed by step 3B.

[0018] In the first case, it can be deduced that the bit dv-s of the
exponent is equal to 0. In the second case, it can be deduced that the
bit dv-s is equal to 1. By proceeding step-by-step for each
iteration of s=1 to s=v, all the bits dv-s of the exponent for s
from 1 to v-1 can be inferred. For example, during the first iterations
of the exponentiation algorithm, the result of operations:

LIM(a,a), LIM(a,m)

reveals that the first bit of the exponent is 1, whereas the result of
operations:

LIM(a,a) LIM(a,a)

allows for the discovery that the first bit of the exponent is 0.

[0019] To discover the next exponent bit, the nature of the following
operations must be determined. For example, if these operations are:

LIM(a,a) LIM(a,m) LIM(a,a) LIM(a,m)

or:

LIM(a,a) LIM(a,a) LIM(a,m)

the two last operations LIM(a,a) LIM(a,m) reveal that the second bit of
the exponent is 1. Inversely, after the following operations:

LIM(a,a) LIM(a,m) LIM(a,a) LIM(a,a)

LIM(a,a) LIM(a,m) LIM(a,a) LIM(a,a)

the third operation LIM (a,a) reveals that the second bit of the exponent
is 0 because it is followed by LIM (a,a) and is not followed by LIM
(a,m).

[0020] Thus, in order to determine the exponent bits, it is necessary to
resolve any uncertainties as to the conditional branching steps performed
by the integrated circuit as a function of these bits. The observation of
the current consumption of the integrated circuit allows, in general, to
clear up these uncertainties.

[0021] Overview of Side Channel Analysis Based on the Observation of the
Current Consumption

[0022] An electronic component generally includes thousands of logic gates
that switch differently depending on the operations executed. The
switching of the gates creates measurable current consumption variations
of very short duration, for example of several nanoseconds. Notably,
integrated circuits obtained by CMOS technology include logic gates
constituted of pull-up PMOS transistors and of pull down NMOS transistors
having a very high input impedance on their control gate terminal. These
transistors do not consume current between their drain and source
terminals except during their switching, corresponding to the switching
to 1 or to 0 of a logic node. Thus, the current consumption depends on
data manipulated by the microprocessor and on the various peripherals:
memory, data circulating on the data or address bus, the cryptographic
accelerator, and the like.

[0023] In particular, the multiplication operation of large integers LIM
has a current consumption signature that is characteristic and is
different than ordinary logic operations. Moreover, LIM(a,a) differs from
LIM(a,m) in that it consists of calculating a square (a2) whereas
LIM(a,m) consists of calculating the product of a by m, which may lead to
two different current consumption signatures.

[0024] Conventional side channel test processes, based on the observation
of the current consumption, use Single Power Analysis (SPA), Differential
Power Analysis (DPA), Correlation Power Analysis (CPA), or Big Mac
Analysis.

[0025] SPA-Based Test Processes

[0026] SPA was disclosed in P. C. Kocher., Timing attacks on
implementations of Diffie-Heliman, RSA, DSS, and other systems., Advances
in Cryptology--CRYPTO '96, volume 1109 of Lecture Notes in Computer
Science, pages 104-113., Springer 1996. SPA normally only requires the
acquisition of a single current consumption curve. It aims to obtain
information about the activity of the integrated circuit by observing the
part of the consumption curve corresponding to a cryptographic
calculation, because the current curve varies according to the operations
executed and the data manipulated.

[0027] First of all, SPA allows for the identification of the calculations
performed and the algorithms implemented by the integrated circuit. A
test system captures a general current consumption curve of the
integrated circuit by measuring its current consumption. In the case of
an integrated circuit executing a modular exponentiation, consumption
curves corresponding to the execution of LIM(a,a) and LIM(a,m) upon each
iteration of rank s of the algorithm can be distinguished within this
general current consumption curve, as shown in FIG. 2. In this
consumption curve, curves C0, C1, C3, . . . Cs' . . .
can be distinguished.

[0028] Each consumption curve Cs' consists of consumption points
measured with a determined sampling frequency. Each consumption curve
corresponds to an "sth" iteration of step 3 of the exponentiation
algorithm. The relation between the rank s' of each consumption curve
Cs' and the number of times "s" that step 3 of the exponentiation
algorithm has already been executed (including the execution
corresponding to the curve Cs' in question) is given by the
relation:

s'=s+H(dv-1, dv-2 . . . dv-s-1)

if the curve Cs' corresponds to the execution of step 3A, or by the
relation:

s'=s+H(dv-1, dv-2 . . . dv-s-1)+1

if the curve Cs' corresponds to the execution of step 3B.

[0029] The relation between s' and s is therefore a function of the
Hamming weight H(dv-1, dv-2 . . . dv-s-1) of the part of
the exponent d already used during the preceding steps of the
exponentiation calculation. As the Hamming weight represents the number
of bits at 1 of the part of the exponent considered, s' is for example
equal to s or to s+1 if the already used bits dv-1, dv-2 . . .
dv-s-1 of the exponent are all equal to zero. As another example, s'
is equal to 2s or to 2s+1 if the bits dv-1, dv-2 . . .
dv-s-1 are all equal to 1.

[0030] An "ideal" SPA-based test process should allow for the
determination of whether each curve Cs' is relative to the
calculation of LIM (a,a) or of LIM (a,m), merely by the observation of
the form of these curves. This may allow for the deduction, according to
the deductive method described above, of exponent bit value. However, to
prevent such a leak of information ("leakage"), latest-generation secured
integrated circuits are equipped with countermeasures that blur their
current consumption.

[0031] Thus, SPA-based test processes generally allow for the
identification of the calculations performed and the algorithms
implemented by an integrated circuit, and for the marking, on the general
consumption curve of the integrated circuit, of the portion of the curve
relative to the modular exponentiation calculation. However, they do not
allow for the verification of hypotheses about the exact operation
executed by the integrated circuit.

[0032] Processes based on statistical analysis techniques, such as DPA or
CPA, were thus developed to identify the nature of operations during
which the exponent is manipulated.

[0033] DPA-Based Test Processes

[0034] Disclosed by P. C. Kocher, J. Jaffe, and B. Jun., Differential
Power Analysis. Advances in Cryptology--CRYPTO '99, volume 1666 of
Lecture Notes in Computer Science, pages 388-397., Springer, 1999., and
very closely studied since, DPA allows the secret key of a cryptographic
algorithm to be found thanks to the acquisition of numerous consumption
curves. The application of this technique the most researched until now
concerns the DES algorithm, but this technique also applies to other
algorithms of encryption, decryption, or signature, and in particular to
modular exponentiation.

[0035] DPA consists of a statistical classification of the current
consumption curves to find the searched-for information. It is based on
the premise that the consumption of a CMOS technology integrated circuit
varies when a bit switches from 0 to 1 in a register or on a bus, and
does not vary when a bit remains at 0, remains at 1, or switches from 1
to 0 (parasitic capacitance discharge of the MOS transistor).
Alternatively, it may be considered that the consumption of a CMOS
technology integrated circuit varies when a bit switches from 0 to 1 or
switches from 1 to 0 and does not vary when a bit remains equal to 0 or
remains equal to 1. This second hypothesis allows conventional functions
"Hamming distance" or "Hamming weight" to be used to develop a
consumption model that does not require the knowledge of the structure of
the integrated circuit in order to be applicable.

[0036] DPA aims to amplify this consumption difference thanks to a
statistical processing based upon numerous consumption curves, aiming to
bring out a correlation between the measured consumption curves and the
formulated hypotheses.

[0037] During the acquisition phase of these consumption curves, a test
system applies M random messages m0, m1, m2, . . . ,
mr . . . mM-1 to the integrated circuit in a way that the
integrated circuit calculates the transformed message by means of its
cryptographic function (which is implicit or requires the sending of an
appropriate encryption command to the integrated circuit).

[0038] As shown in FIG. 3, M current consumption curves C(m0),
C(m1), C(m2) . . . , C(mr), . . . , C(mM-1) are thus
collected. Each of these consumption curves results from operations
executed by the integrated circuit to transform the message by way of the
modular exponentiation function, but may also result from other
operations that the integrated circuit may execute at the same time.

[0039] Thanks to SPA, consumption curves Cs'(m0),
Cs'(m1), Cs'(m2) . . . , Cs'(mr), . . . ,
C2'(mM-1) are distinguished within these consumption curves.
These consumption curves correspond to execution steps of the modular
exponentiation algorithm. As indicated above, each curve of rank s'
corresponds to the "sth" execution of step 3 of the algorithm, for
one of the M messages, and involves one bit of the exponent d of which it
is desired to the determine the value.

[0040] During a processing phase, the test system estimates the
theoretical current consumption HW(dv-s, mr) of the integrated
circuit at the calculation step in question. This consumption estimation
is done for at least one of the two possible values of the searched-for
bit ds of the exponent. The test system is, for example, configured
to estimate the theoretical consumption that the execution of the
function LIM(a,m) implies, and use this for all the values mr of the
message m used during the acquisition. This theoretical consumption is
for example estimated by calculating the Hamming weight of the expected
result following the execution of the operation corresponding to the
hypothesis in question.

[0041] On the basis of the current consumption estimation, the test system
classes the consumption curves into two groups G0 and G1:

G0={curves Cs'(mr) correspond to a low consumption of the
integrated circuit at the step s in question},

G1={curves Cs'(mr') should correspond to a high consumption of
the integrated circuit at the step s in question}.

[0042] The test system then calculates the differences between the
averages of the curves of the groups G0 and G1, to obtain a resulting
curve, or statistical differential curve.

[0043] If a consumption peak appears in the statistical differential curve
at the location chosen for the current consumption estimation, the test
system deduces that the hypothesis concerning the bit dv-s value is
correct. The operation executed by the modular exponentiation algorithm
is thus here LIM(a,m). If no consumption peak appears, the average
difference does not reveal a significant consumption difference (a signal
comparable to noise is obtained), and the test system can either consider
that the complementary hypothesis is verified (dv-s=0, the executed
operation is LIM(a,a)), or else proceed in a similar manner to verify
this hypothesis.

[0044] DPA-based test processes have the drawback of being complicated to
implement and require the capture of a very high number of current
consumption curves. Moreover, hardware countermeasures exist (such as the
provision of a clock jitter, the generation of background noise, or the
like), which often require the provision of preliminary signal processing
steps (synchronization, noise reduction, and the like) on the current
consumption curves used for the acquisition. The number of current
consumption curves to acquire in order to obtain reliable results also
depends on the architecture of the integrated circuit studied, and may be
anywhere from thousands to hundreds of thousands of curves.

[0045] CPA-Based Test Processes

[0046] CPA was disclosed by E. Brier, C. Clavier, and F. Olivier.,
Correlation Power Analysis with a Leakage Model., Cryptographic Hardware
and Embedded Systems--CHES 2004, volume 3156 of Lecture Notes in Computer
Science, pages 16-29., Springer, 2004. The authors propose a linear
current consumption model that supposes that the switching of a bit from
1 to 0 consumes the same amount of current as the switching of a bit from
0 to 1. The authors further propose to calculate a correlation
coefficient between, on the one hand, the measured consumption points
that form the captured consumption curves and, on the other hand, an
estimated consumption value calculated from the linear consumption model
and from a hypothesis as to which operation the integrated circuit
executes.

[0047] FIGS. 4 and 5 show an example of CPA applied to the modular
exponentiation algorithm. In this example, the test system looks to know
whether at the sth iteration of step 3 of the modular exponentiation
algorithm, the operation executed after LIM(a,a) is again LIM(a,a) (that
is, step 3A of the following iteration s+1) or else LIM(a,m) (that is,
step 3B of the iteration of rank s).

[0048] As shown in FIG. 4, the test system acquires M current consumption
curves Cs'(mr) (Cs'(m0), Cs'(m1), . . . ,
Cs'(mr), . . . , Cs'(mM)) relating to the same
iteration of the algorithm, each corresponding to a message mr
(m0, m1 . . . mr . . . mM-1) that was sent to the
integrated circuit. Each curve Cs'(mr) includes E current
consumption points W0, W1, W2, . . . , W1, . . . ,
WE-1 forming a first subset of points. The points of a same curve
Cs'(mr) are associated with a current consumption estimation.

[0049] To this end, the current consumption HW is for example modeled as
follows:

W=k1*H(D⊕R)+k2

"R" being a reference state of the calculation register of the integrated
circuit, "D" being the value of the register at the end of the operation
in question, k1 being a proportionality coefficient, and k2 representing
the noise and/or current consumed that is not linked to H(D⊕R). The
function "H" is the Hamming distance between the values R and D of the
register, that is the number of different bits between D and R ("⊕"
designating the exclusive OR function).

[0050] According to a simplified approach, the reference value R of the
register is chosen to be equal to 0, such that the calculation of the
estimated current consumption point comes down to calculating the Hamming
weight (number of bits at 1) of the result of the operation in question.
This result is, for example, "a*m" for the hypothesis concerned. It
results that the estimated consumption point HW is equal to H(a*m). The
hypothesis about the executed operation, for example LIM(a,m), is
therefore transformed into a current consumption estimation HW calculated
by applying this linear consumption model.

[0051] As shown in FIG. 4, the test system then regroups the different
current consumption points Wk, forming each curve Cs', into
vertical transversal subsets VEk (VE0, VE1, VE2, . .
. , VEk, . . . VEE-1, each including points Wk of same
rank k of each of the curves Cs'. Each vertical transversal subset
VEk is shown by vertical dashed lines and contains a number of
points equal to the number M of curves used for the analysis.

[0052] An estimated current consumption point HWk is associated with
each point Wk of a vertical transversal subset VEk. This
estimated point corresponds to the estimation of the consumption
associated with the curve Cs'(mr) to which the point belongs,
calculated in the manner indicated above.

[0053] For each vertical transversal subset VEk, the test system then
calculates a linear vertical correlation coefficient VCk between the
points Wk of the considered subset and the estimated consumption
points HWk that are associated therewith. This correlation
coefficient is, for example, equal to the covariance between the measured
consumption points Wk of subset VEk and the estimated
consumption points HWk associated with these measured consumption
points, divided by the product of the standard deviations of these two
sets of points. Thus, a vertical correlation coefficient VCk
corresponding to the evaluated hypothesis is associated with each
vertical transversal subset VEk.

[0054] As shown in FIGS. 5A, 5B, the test system thereby obtains a set of
vertical correlation coefficients VC0, VC1, . . . , VCk, .
. . , VCE-1 forming a vertical correlation curve VCC1 that
invalidates the hypothesis or forming a vertical correlation curve VCC2
that confirms the hypothesis. The curve VCC2 presents one or more
noticeable correlation peaks (normalized covariance values close to +1 or
-1), thus indicating that the hypothesis about the operation is correct.
The curve VCC1 does not present a correlation peak. If the correlation
curve VCC2 is obtained, the test program deduces that the integrated
circuit was performing LIM(a,m) when the curves Cs'(m0) to
Cs'(mM-1) were acquired, and therefore deduces that the bit
ds of the modular exponentiation exponent is equal to 1.

Big Mac-Based Test Processes

[0055] The Big Mac analysis was disclosed in Colin D. Walter., Sliding
Windows Succumbs to Big Mac Attack., Cryptographic Hardware and Embedded
Systems--CHES 2001, volume 2162 of Lecture Notes in Computer Science,
pages 286-299., Springer, 2001; and Colin D. Walter., Longer keys may
facilitate side channel attacks., Selected Areas in Cryptography, SAC
2003, volume 3006 of Lecture Notes in Computer Science, pages 42-57.,
Springer, 2003. This analysis is based on the atomicity of the
above-mentioned large integer multiplication, that is to say the fact
that the execution of a multiplication operation of two large integers
includes the execution of a plurality of basic multiplications
xi*yj of components xi and y3 of operands x and y
subject of the multiplication.

[0056] A Big Mac-based test process includes steps of [0057] combining
consumption sub-curves corresponding to basic multiplications
xi*yi for a fixed data xi and for a variable index j, then
[0058] calculating the average value of points of these sub-curves to
obtain a resulting sub-curve that represents the properties of xi in
a more apparent manner than the properties of yj, [0059] forming a
dictionary with average sub-curves, and afterwards, and [0060]
identifying, by way of the dictionary, new sub-curves issuing from
following multiplications, to deduce therefrom the value of operands
handled by following multiplication operations.

[0061] Summary of Known Test Processes

[0062] As it has just been seen, test processes based on DPA and CPA
require the acquisition of numerous current consumption curves. Even
though CPA-based test processes are more efficient than DPA-based test
processes and generally only require between a hundred and several
hundred consumption curves as opposed to thousands to hundreds of
thousands of curves for DPA processes, the number of curves to acquire to
implement a CPA-based test process cannot be considered as negligible.

[0063] Additionally, DPA- or CPA-based test processes can be countered by
countermeasures consisting of masking the message m and/or masking the
exponent d using random words. Indeed, it has been seen that the
hypothesis concerning the consumption linked to LIM(a,m) requires the
knowledge of the message m to calculate its Hamming weight. A masking of
the message using random data no longer allows for the association of an
estimated consumption value with a measured consumption value to
calculate the weighting coefficient.

[0064] Finally, a Big Mac-based test process is tricky to implement and
requires a good knowledge of the integrated circuit architecture in order
to develop a dictionary including the models required for its
implementation. The results obtained have been considered as
unsatisfactory and the process does not seem to be the subject of known
practical applications.

BRIEF SUMMARY OF THE INVENTION

[0065] Embodiments of the invention relate to a side channel test process
applicable in particular, but not exclusively, to modular exponentiation
calculation, that is simple to implement and requires a reduced number of
curves of current consumption, or of any other physical property
representative of the integrated circuit's activity.

[0066] Embodiments of the present invention also relate to a side channel
test process applicable to an integrated circuit executing a
multiplication operation of two binary words x and y including a
plurality of basic multiplication steps of components xi by
components yj of words x and y.

[0067] Embodiments of the present invention also relate to a side channel
test process to be integrated in an industrial qualification or
certification process of integrated circuits, to verify their robustness
to side channel attacks and their resistance to information leakage.

[0068] Embodiments of the present invention also relate to countermeasures
allowing an integrated circuit to be considered as suitable for use after
a qualification or certification process including a test process
according to embodiments of the invention.

[0069] More particularly, embodiments of the invention relate to a process
for testing an integrated circuit device, including: during the execution
by the integrated circuit of a multiplication operation of two binary
words x and y having a plurality of basic multiplication steps of
components xi of the word x by components yj of the word y, collecting a
set of points of a physical property representative of the switching of
binary data by the integrated circuit; dividing the set of points of the
physical property into a plurality of subsets of lateral points, each
subset corresponding to a basic multiplication operation of a component
xi of rank i of the word x by a component yj of rank j of the word y;
forming at least one general hypothesis about a value of x and/or a value
of y; for each subset of lateral points, forming a particular hypothesis
about a value of an xi and/or of a yj linked to the general hypothesis;
for each subset of lateral points, calculating an estimation of the value
of the physical property that is a function of the particular hypothesis,
and attributing this estimation to the subset and to the points of the
subset; and applying to the subsets of lateral points a step of
horizontal transversal statistical processing using the estimations of
the value of the physical property associated with them, to determine
whether the general hypothesis is correct.

[0070] In one embodiment, the step of horizontal transversal statistical
processing includes: forming horizontal transversal subsets of points,
each including points of the same rank belonging to different subsets of
lateral points; forming a set of correlation coefficients by calculating,
for each horizontal transversal subset, a correlation coefficient
between, on the one hand, the points of subset and, on the other hand,
the particular estimations of the value of the physical property
associated with each of the points of the subset; and determining whether
the general hypothesis is correct or not as a function of the profile of
the set of correlation coefficients.

[0071] In one embodiment, determining whether the general hypothesis is
correct includes searching for at least one correlation peak in the set
of correlation coefficients.

[0072] In one embodiment, the step of horizontal transversal statistical
processing includes: classing the subsets of lateral points in first and
second groups as a function of the estimation of the value of the
physical property that is attributed to them, by allocating to the first
group the subset of points having a high estimation and to the second
group a low estimation of the physical property; calculating average
values of points of the same rank of each subset of the first group to
obtain a first subset of average points; calculating average values of
points of the same rank of each subset of points of the second group to
obtain a second subset of average points; forming a subset of
differential points including differential points equal to the difference
between points of the same rank of the first and of the second subsets of
average points; and determining whether the general hypothesis is correct
or not as a function of the profile of the subset of differential points.

[0073] In one embodiment, determining whether the general hypothesis is
correct includes searching for one or more peaks of the physical property
in the subset of differential points.

[0074] In one embodiment, calculating an estimation of the value of the
physical property for each subset of lateral points includes calculating
the Hamming weight of a data that is a function of the value of the
component xi and/or of the component yj associated with the subset of
lateral points according to the particular hypothesis linked to the
general hypothesis.

[0075] In one embodiment, the data function of the value of the component
xi and/or yj is equal to one of the following values: xi, yj, xi*yj,
α*xi+β*yj, α and β being weighting coefficients.

[0076] In one embodiment, the physical property is one of a current
consumption of the integrated circuit, a magnetic field absorption, and
an electromagnetic radiation of the integrated circuit, or a combination
thereof.

[0077] In one embodiment, the process includes rejecting the integrated
circuit if the statistical processing step allows for the verification
that the general hypothesis is correct.

[0078] In one embodiment, the process is applied to an integrated circuit
including: a processing function of external data, the execution of which
includes at one step of conditional branching to at least a first step of
multiplication of binary words or a second step of multiplication of
binary words, the step of conditional branching being a function of
private data of the integrated circuit; and a multiplication function
configured to execute the multiplication steps designated by the
conditional branching in a plurality of basic multiplication steps of
components xi by components yj of words to multiply; and the process
includes: addressing the external data to the integrated circuit;
activating, in the integrated circuit, the processing function of the
external data; collecting said set of points of a physical property
during the execution by the integrated circuit of a multiplication that
is the function of the conditional branching; forming at least one
general hypothesis about the value of the private data and the value of
binary words x, y subject to the multiplication, in relation with the
value of the private data; dividing the set of points into a plurality of
subsets of lateral points, each subset corresponding to a basic
multiplication operation of a component xi of rank i of word x by a
component yj of rank j of word y; for each subset of lateral points,
forming a particular hypothesis about a value of an xi and/or of a yj
linked to the general hypothesis; for each subset of lateral points,
calculating an estimation of the value of the physical property that is a
function of the particular hypothesis, and attributing this estimation to
the subset and to the points of the subset; and applying to the subsets
of lateral points a step of horizontal transversal statistical processing
by using the estimations of the value of the physical property associated
with them, to determine whether the general hypothesis about the value of
the private data is correct.

[0079] In one embodiment, the process includes rejecting the integrated
circuit as unable to conserve the private data if the statistical
processing step allows for the verification that the general hypothesis
is correct.

[0080] In one embodiment, the process is applied to an integrated circuit
wherein the data processing function is a modular exponentiation
function, the private data being an exponent of the modular
exponentiation function.

[0081] In one embodiment, the process is applied to an integrated circuit
wherein the data processing function is a cryptographic function
including a modular exponentiation function, the private data being an
exponent of the modular exponentiation function forming a private key of
the cryptographic function.

[0082] Embodiments of the invention also relates to a system for testing
an integrated circuit, including: an execution component configured to
cause the integrated circuit to execute a multiplication operation of two
binary words x and y including a plurality of basic multiplication steps
of components xi of the word x by components yj of the word y; a
measuring component configured to measure and collect, during the
execution of the multiplication operation, a set of points of a physical
property representative of the switching of binary data by the integrated
circuit; and a data processor, configured to: divide the set of points of
the physical property into a plurality of subsets of lateral points, each
subset corresponding to a basic multiplication operation of a component
xi of rank i of the word x by a component yj of rank j of the word y;
forming at least one general hypothesis about a value of x and/or a value
of y; for each subset of lateral points, forming at least one particular
hypothesis about a value of an xi and/or of a yj linked to the general
hypothesis; for each subset of lateral points, calculating an estimation
of the value of the physical property that is a function of the
particular hypothesis, and attributing this estimation to the subset of
lateral points and to the points of the subset; and applying to the
subset of lateral points a step of horizontal transversal statistical
processing by using the estimations of the value of the physical property
that they are attributed to the lateral points, to determine whether the
general hypothesis is correct.

[0083] In one embodiment, the system is configured to reject the
integrated circuit if the statistical processing step allows for the
verification that the general hypothesis is correct.

[0084] In one embodiment, the measuring component is configured to measure
one of a current consumption of the integrated circuit, a magnetic field
absorption, and an electromagnetic radiation of the integrated circuit,
or a combination thereof.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

[0085] The foregoing summary, as well as the following detailed
description of the invention, will be better understood when read in
conjunction with the appended drawings. For the purpose of illustrating
the invention, there are shown in the drawings embodiments which are
presently preferred. It should be understood, however, that the invention
is not limited to the precise arrangements and instrumentalities shown.

[0086] Embodiments of a test process according to the invention and
corresponding countermeasures will be described in a non-limiting manner
in the following, in relation with the appended drawings in which:

[0094] FIG. 7 schematically shows an embodiment of a test system according
to the invention;

[0095] FIG. 8 shows a current consumption curve including current
consumption sub-curves used by the test system of FIG. 7 to implement the
process according to embodiments of the invention;

[0096] FIG. 9 is a more-detailed view of current consumption sub-curves
and shows a step of the process according to an embodiment of the
invention;

[0097] FIG. 10 is a table of estimated values of a physical property
associated with points of the sub-curves of FIG. 9;

[0098] FIGS. 11A and 11B schematically show two correlation curves
generated by an embodiment of the test process according to the
invention;

[0099] FIGS. 12A, 12B and 12C respectively show two average curves and a
correlation curve generated by another embodiment of the test process
according to the invention;

[0100] FIG. 13 schematically shows a multiplier circuit designed to
execute a multiplication algorithm according to an embodiment of the
invention; and

[0101] FIG. 14 shows a secured integrated circuit architecture including
countermeasure according to an embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION

[0102] General Features of a Test Process According to Embodiments of the
Invention

[0103] Embodiments of a test process according to the invention are based
on a detailed examination of the current consumption of an integrated
circuit during the execution of steps 3A and 3B of the above-described
exponentiation algorithm, and more particularly, the observation of its
current consumption during the execution of the LIM multiplication during
each of these steps 3A and 3B.

[0104] Embodiments of a test process according to the invention are based
on the fact that in practice, the multiplications of large integers
LIM(a,a) and LIM(a,m) are not done in a single step due to the size of
binary words accepted by the unit that performs these multiplications.
The unit that executes the multiplication is, for example, the
arithmetical and logical unit of the microprocessor, a coprocessor, or an
arithmetic accelerator. The reduced size of the calculation unit requires
a calculation algorithm LIM(x,y) that "splits" the large integers x and y
into 1 components of smaller size, such that:

x=(xl-1 xl-2 . . . x0)b

y=(yl-1 yl-2 . . . y0)b

xl-1, xl-2 . . . x0 and yl-1, yl-2 . . . y0 being components of operands
x and y in base "b", each component including N bits, and the base b
being equal to 2N, for example b=232 for a calculation unit accepting
operands of N=32 bits.

[0105] This splitting of operands into 1 equal parts is such that the
multiplication includes 12 basic multiplication operations if the
multiplication is done according to the usual method. Table 1 below gives
the relation between the size G of operands x and y, the size N of their
components xi, yj, the number 1 of components xi, yj to form an operand,
and the number 12 of basic multiplications xi*yj that the execution of
the LIM function includes, for typical examples of integrated circuit
architectures.

[0106] Thus, each basic multiplication operation xi*yi executed
by the multiplication algorithm LIM corresponds to a current consumption
sub-curve Ci,j, and these sub-curves together form the current
consumption curve of step 3A or of step 3B of the exponentiation
algorithm.

[0107] A test process according to embodiments of the invention includes
horizontal transversal statistical processing steps to such sub-curves,
in order to verify a hypothesis concerning the variables that are the
subject of the multiplication, and thus to verify a hypothesis concerning
a conditional branching leading to the execution of the multiplication
operation with these variables. The process only requires the acquisition
of a single consumption curve by sending a single message m to an
integrated circuit.

[0108] Example of Implementation of the Test Process

[0109] Embodiments of the test process that will be described in the
following aim to determine the secret exponent used by an integrated
circuit during a modular exponentiation calculation. The integrated
circuit is, for example, the conventional integrated circuit CIC1
described above in relation with FIG. 1. The modular exponentiation
calculation is, for example, executed according to the following
algorithm, already described above:

[0110] As indicated above, finding a bit of the exponent d requires
determining whether step 3 of the algorithm only includes step 3A or, on
the contrary, includes step 3A followed by step 3B. Starting with the
first iteration of step 3 (s=1) until the last (s=v), a test process
according to embodiments of the invention allows for the determination,
with a single current consumption curve, of whether the operation
executed by the microprocessor or the coprocessor is of the LIM(a,a) type
or of the LIM(a,m) type by basing itself on the consumption sub-curves
corresponding to basic multiplications intervening in the execution of
the LIM multiplication.

[0111] It will also be assumed in the following, still as an
implementation example of the process, that the multiplication operation
LIM intervening in the execution of the modular exponentiation algorithm
is executed according to the scholar method, that is to say the most
commonly used method to multiply large integers. The scholar method is,
for example, implemented by way of the following algorithm:

[0113] Thus, the l2 iterative calculation steps involving components
xi, yj of the large integers x, y, allows 2l intermediate
results R2l-1, R2l-2, . . . R0 of N bits to be obtained.
These are concatenated in an output register to form the final result of
the multiplication of x by y.

[0114] To get a better idea, FIG. 6 shows an example of multiplier
hardware SMT1 provided to perform the multiplication of two operands x
and y according to the algorithm above. The multiplier architecture is on
the model of the algorithm and the multiplier SMT1 thus includes: input
buffers BX, BY receiving operands x and y of G bits; an output buffer BR
supplying the result R; a multiplier MULT with two N-bit inputs and a
2N-bit output; an adder AD having a 2N-bit input, two N-bit inputs, and a
2N-bit output; a 2N-bit output register including two concatenated
registers Ru and Rv of N bits each to receive the intermediary variables
u and v of the algorithm; and a register Rc to receive the carry c of the
algorithm. A sequencer SM1, for example a state machine, supplies control
signals t1, t2, . . . , t9, t10, . . . tn to these various elements, and
is configured to execute the algorithm upon reception of a command STM
("Start Multiplication").

[0115] The buffer BX includes l registers of N bits, each receiving one of
the components xl-1, xl-2, . . . , x0 of X. The buffer BY includes l
registers of N bits, each receiving one of the components yl-1, yl-2, . .
. , y0 of y. The output buffer BR includes 2l registers of N bits, each
receiving one of the components R2l-1, R2l-2, . . . , R0 of the result of
the multiplication of x by y. Multiplexers MX1, MX2 controlled by the
sequencer SM1 allow for the application of one of the components xi upon
one input of the multiplier and one of the components yj on the other
input of the multiplier, which supplies the result xi*yj on 2N bits. The
2N-bit output of the multiplier MULT is linked to the 2N-bit input of the
adder AD. N first bits of the 2N-bit output of the adder AD are applied
to the input of the register Ru and the N other bits are applied to the
input of the register Rv. The output of the register Rv is applied to the
input of one of the registers Ri+j of the buffer BR by the intermediary
of a demultiplexer DMX controlled by the sequencer SM1. The output of one
of the registers Ri+j of the buffer BR is applied on an N-bit input of
the adder by the intermediary of a multiplexer MX3 controlled by the
sequencer SM1. The other N-bit input of the adder is linked to the output
of the register Rc, the input of which is liked to the output of the
register Ru. The sequencer SM1 controls the writing and the reading of
these various registers for the execution of the algorithm.

[0116] Before the application of the command STM, the data to multiply "a
and a" or "a and m" are saved in the buffers BX and BY as operands x and
y, depending on whether the operation to be executed is LIM(a,a) or
LIM(a,m). In the first case, registers xi of buffer BX receive components
al-1, al-2, . . . , a0 of a and registers yj of buffer BY receive the
same components. In the second case, registers xi of buffer BX receive
the components al-1, al-2, . . . , a0 of a and registers yj of buffer BY
receive the components ml-1, ml-2, . . . , m0 of m.

[0117] Acquisition of Current Consumption Sub-Curves

[0118] FIG. 7 shows an example of an integrated circuit test system
provided to implement the test process according to embodiments of the
invention. It will be assumed, as an example, that the test system is
configured to test the contactless integrated circuit CIC1 of FIG. 1.

[0119] The test system includes: a chip card reader RD, here a contactless
reader; a measuring probe PB linked to a measuring device MD, such as a
digital oscilloscope, to acquire the consumption curves of the integrated
circuit; and a calculation component, such as a personal computer PC. The
computer is linked to the measuring device and to the card reader RD and
implements a test program. This test program includes, in particular, a
program for communicating with the integrated circuit and to send
messages thereto, a signal processing program, and a program for
implementing calculation steps of the process according to the invention.

[0120] The probe PB may be a current probe (for example, a resistance
placed on the supply terminal Vcc of the integrated circuit), or an
electromagnetic probe linked to the measuring device by a signal
amplifier AMP. Alternatively, a current probe can be combined with an
electromagnetic probe. The study of electromagnetic radiation
Electromagnetic Analysis (EMA) has shown that an electromagnetic
radiation emitted by a functioning integrated circuit gives information
about the switching of bits in the integrated circuit, similar to the
measurement of current consumed. The advantage of an electromagnetic
probe is that it may be placed near the part of the circuit of which it
is desired to analyze the functioning (for example, near the core of the
microprocessor or of the cryptographic calculations coprocessor).

[0121] In addition, in the case of a contactless integrated circuit, the
current probe can be replaced by an inductive probe that measures the
absorption, by the integrated circuit, of the magnetic field emitted by
the reader. Such an inductive probe, for example an antenna coil, can
itself be combined with an electromagnetic field probe placed near parts
of the circuit to be studied.

[0122] Thus, in the present application, the term "current consumption" is
used merely for the sake of simplicity, and designates any measurable
physical property the variations of which are representative of binary
data switching within the integrated circuit or within the part of the
integrated circuit studied. The physical property may be measured at
terminals of the integrated circuit or near the studied part of the
integrated circuit.

[0123] The sampling frequency of the physical property must however be
sufficiently high to collect several points per sub-curve, for example
between 3 and 100 points per sub-curve in practice. However, it may be
provided to collect up to several thousand points per sub-curve.

[0124] As shown in FIG. 8, a precise analysis of the current consumption
curve Cs during the execution of each iteration of step 3 of the
exponentiation algorithm reveals current consumption sub-curves Ci,j,
each corresponding to the execution of step 3A or of step 3B of the
algorithm LIM. The identification of the group of sub-curves within the
general current consumption curve is done by, as a first step, performing
a conventional SPA. The first identification is done manually during a
development phase of the test program. The subsequent identifications may
be automated by supplying a temporal marking point for the marking of
sub-curves to the test program.

[0125] Once this first step has been completed, the test program has the
following sub-curves:

[0126] The test program thus has P sub-curves C0,0 to Cl-1,l-1 (Cf. table
1). The test program then applies a DPA or CPA analysis to this set of
sub-curves, to determine whether the operation performed by the algorithm
is of the type ai*aj or of the type ai*mj.

[0127] The test process according to the invention may therefore be
qualified as "horizontal", in contrast with conventional DPA- or
CPA-based test processes that require a superposition of current
consumption curves and may therefore be qualified as "vertical".

[0130] The sub-curves Ci,j are used to determine whether the modular
exponentiation algorithm requested that the multiplication algorithm
execute the operation a*a or the operation a*m, which will results, at
the level of the multiplication algorithm, in the execution of l2
operations ai*aj or of l2 operations ai*mj.

[0131] Indeed, if the algorithm LIM is called by step 3A of the
exponentiation algorithm, the inputs of the algorithm are:

x=a=(al-1 al-2 . . . a0)b

y=a=(al-1 al-2 . . . a0)b

and step 2 of the algorithm LIM thus includes the following calculation:

--for j from 0 to l-1 do:

u|v(Ri+j+aj*ai)+c

[0132] If however the algorithm LIM is called at step 3B of the
exponentiation algorithm, the inputs of the algorithm are:

x=a=(al-1 al-2 . . . a0)b

y=m=(ml-1 ml-2 . . . m0)b

and step 2 of the algorithm LIM thus includes the following calculation:

--for j from 0 to l-1 do:

u|v(Ri+j+aj*mi)+c

[0133] Each sub-curve Ci,j is formed by P current consumption points
W0,i,j, W1,i,j, W2,i,j, . . . , Wk,i,j, . . . , WP-1,i,j and forms a
subset of points. It will be noted that the points considered here are
those that will be used in the correlation calculation that follows.
Indeed, in practice, according to the sampling frequency with which the
current consumption points are captured, each sub-curve could include a
greater number of points than those used for the calculations.

[0134] The test program associates the points of a same sub-curve Ci,j
with at least one hypothesis concerning the operation executed by the
integrated circuit. This hypothesis is chosen among two possible
hypotheses, the first being that the integrated circuit calculates ai*aj
and the second that the integrated circuit calculates ai*mj.

[0135] Following the principles of CPA reviewed above, the test program
then uses a linear current consumption model to transform a hypothesis
about the operation executed by the integrated circuit into a
corresponding estimated current consumption value, or "correlation
model". According to a simplified approach, the test program can be
configured to determine the estimated current consumption value by
calculating the Hamming weight (number of bits at 1) of the most
significant variable of the considered operation, or of a combination of
most significant variables.

[0136] It is assumed, as an example, that the test program tries to verify
the hypothesis ai*mj. The value HWi,j of current consumption estimated
for this hypothesis is thus calculated using the following relation:

HWi,j=H(mj)

[0137] Other variations of this model may be provided, for example:

HWi,j=H(ai*mj)

[0138] A more complex model may also be used, such as:

HWi,j=H(α*ai+β*mj)

where α and β are weighting coefficients to be set as a
function of the microprocessor or of the coprocessor that executes the
multiplication, after a characterization thereof.

[0139] It may be noted that the model HWi,j=H(ai) cannot be used to verify
the hypothesis ai*mj because the term ai is present in the two hypotheses
ai*aj and ai*mj and is therefore not a valid discriminant.

[0140] It will clearly appear to the skilled person that any other
statistically valid model can be used to estimate the electric
consumption. In particular, more complex models may be used wherein the
value of the calculation register of the integrated circuit is not
considered as constant but rather dependant upon preceding operations and
on the structure of the circuit.

[0141] It may also be noted that the test program is able to calculate, on
the basis of the model supplied thereto, the estimated consumption values
HWi,j because all the components ai of the variable a and all the
components mj of the message m are known. The value of the variable a is
deduced from preceding iterations for which the test program has
discovered the exponent d bit values, or is equal to 1 if it is the first
iteration of the modular exponentiation algorithm. The value of m is
known because the message was generated and sent by the test program.

[0142] Then, as shown in FIG. 9, the test program defines horizontal
transversal subsets of points HEk (HE0, HE1, HE2, . . . , HEk, . . . ,
HEP-1), each including points Wk,i,j of the same rank k taken from each
of the sub-curves Ci,j. Each horizontal transversal subset HEk is shown
in FIG. 9 by dashed lines and thus contains a number of points equal to
the number 12 of basic multiplication operations ai*mj.

[0143] An estimated current consumption point HWi,j is then associated
with each point Wk,i,j of a horizontal transversal subset HEk. This
estimated point corresponds to the hypothesis concerning the estimated
consumption in relation with the curve Ci,j to which the point belongs,
and is calculated in the same manner as indicated above.

[0144] Then, for each horizontal transversal subset HEk, the test program
calculates a horizontal correlation coefficient HCk between points Wk,i,j
of the considered subset and the estimated consumption points HWi,j with
which they are associated. The correlation coefficient HCk is, for
example, calculated using the following relation:

that is to say the covariance between the points Wk,i,j and the points
HWi,j, normalized by the product of their standard deviations
σ(Wk,i,j) and σ(HWi,j), HCk thus being between -1 and +1.

[0145] Therefore, as shown by table 2 below (also shown in FIG. 10), a
horizontal correlation coefficient HCk corresponding to the hypothesis to
be verified is associated with each horizontal transversal subset HEk.

[0147] The confirmation of the studied hypothesis includes for example the
search, by the test program, for at least one correlation peak. The
search for this correlation peak includes the search for at least one
correlation coefficient of which the absolute value is included between a
minimum correlation value HCmin and 1. The minimum correlation value is
chosen to be sufficiently close to 1 so that a correlation exists.

[0148] If the hypothesis according to which the executed operation is
ai*mj is confirmed by correlation peaks, the test program deduces that
the integrated circuit was performing the operation ai*mj when the
sub-curves C0,0 to Cl-1,l-1 of the curve Cs' were captured, and that the
bit ds of the modular exponentiation exponent is 1 (the relation between
s' and s was indicated above).

[0149] It may be noted that the fact that the correlation curve HCC1
corresponding to the correct hypothesis does not present correlation
peaks for each measured consumption point signifies that some consumption
points are not linked to the execution of the studied operation but are
rather linked to another activity conducted by the integrated circuit at
the same time as execution of the algorithm.

[0150] In addition, the test program can be configured to also analyze the
complementary hypothesis, that is ai*aj, in particular if the first
hypothesis turns out to be incorrect, and thus searches for at least one
correlation peak to decide whether this other hypothesis is correct or
not.

[0151] Alternatively, the test program can be configured to consider that
the complementary hypothesis is correct if the first hypothesis is not
confirmed by the correlation curve. It turns out that after a period of
test program development and of current consumption best estimator
search, the test program becomes reliable such that it is no longer
necessary to verify the two hypotheses.

[0152] In one embodiment, the hypothesis a*m can also be verified several
times by the test program by using several correlation models such as
H(mj) and H(ai*mj).

[0153] In another embodiment, the verification that the hypothesis a*m is
correct for a sub-curve Cs' of rank s' can be done by referring to points
of the following sub-curve Cs'+1. Due to the structure of the modular
exponentiation algorithm, the result of the previous iteration is
included in the variable a of the following iteration. In this case, and
contrary to what has been indicated above, the term ai can be a valid
discriminant for the estimation of the current consumption.

[0154] Implementation of the Test Process Based on DPA

[0155] The l2 horizontal consumption sub-curves Ci,j also allow for
the implementation of the test process by way of a DPA-type technique.

[0156] The analysis requires an acquisition step and a processing step.
The acquisition step only includes the acquisition of a single
consumption curve Cs', including the sub-curves Ci,j. It is to be noted
that this acquisition could, in certain cases, be combined with a
vertical acquisition, requiring the sending of several messages to the
integrated circuit. Nevertheless, due to the large number of sub-curves
offered by the process according to the invention (Cf. table 1 above),
the number of vertical acquisitions is low compared with the number of
vertical acquisitions required by conventional DPA or CPA.

[0157] Therefore, the test program carries out DPA processing steps on a
single curve Cs' (FIG. 9), by considering the horizontal sub-curves Ci,j
of curve Cs' as independent curves that need to be classed.

[0158] The test program estimates the consumption of each calculation step
corresponding to each sub-curve by using a consumption model similar to
that used for the CPA-based implementation described above. More
particularly, a sub-curve sorting function f(ai,mj) is used by the test
program, for example:

f(ai,mj)=Hamming weight of one or more bits of mj, or

f(ai,mj)=Hamming weight of one or more bits of ai*mj, or

f(ai,mj)=Hamming weight of one or more bits of ai and of one or more
bits of mj.

[0159] The test program then classes the measured consumption sub-curves
Ci,j into two groups G0 and G1, for the hypothesis considered:

--G0={sub-curves Ci,j that should correspond to a low consumption of the
integrated circuit at the step ai*mj considered},

--G1={sub-curves Ci,j that should correspond to a high consumption of
the integrated circuit at the step ai*mj considered}.

[0160] For example, as shown in FIG. 9, the sub-curves C0,0 and Cl-1,l-1
shown are classed in the group G0 whereas the sub-curve C0,1 is classed
in the group G1.

[0161] The test program then calculates:

[0162] a first average curve M0 (schematically shown in FIG. 12A) of which
each point M0Wk of rank k (M0W0, M0W1, . . . , M0Wk, . . . , M0WP-1) is
equal to the average of points Wk,i,j of the same rank k of all the
sub-curves Ci,j of the group G0,

[0163] a second average curve M1 (schematically shown in FIG. 12B) of
which each point M1Wk of rank k (M1W0, M1W1, . . . , M1Wk, . . . ,
M1WP-1) is equal to the average of points Wk,i,j of the same rank k of
all the sub-curves Ci,j of the group G1, and

[0164] a statistical differential curve DM, or average difference curve,
(schematically shown in FIG. 12C) of which each point DWk of rank k (DW0,
DW1, . . . , DWk, . . . , DWP-1) is equal to the difference of points
MOWk and M1Wk of the same rank k of average curves M0 and M1.

[0165] If one or several current consumption peaks appear in the
statistical differential curve DM at the location chosen for the current
consumption estimation, the test program deduces that the hypothesis
about the exponent bit value is correct. Therefore, the operation
executed by the modular exponentiation algorithm is LIM(a,m). If no
consumption peak appears, the test program can consider that the
complementary hypothesis is verified (dv-s=0) and that the operation
executed is LIM(a,a), or proceed in a similar manner to verify the
complementary hypothesis.

[0166] The test program's search for a consumption peak, which is
equivalent to the search for a correlation peak with the embodiment based
on CPA, includes, for example, the search for differential consumption
points DWk with a value greater than or equal to a minimum consumption
value DWmin.

[0167] Other Applications of Embodiments of the Invention

[0168] It will clearly appear to the skilled person that embodiments of
the test process according to the invention may be applied to the testing
of integrated circuits implementing various types of algorithms
(cryptographic or not, modular exponentiation or not), if such algorithms
include a conditional branching leading to the execution of
multiplication operations based upon different operands.

[0169] Fundamentally, embodiments of the invention may be applied to the
testing of integrated circuits implementing any type of multiplication
algorithm including a plurality of basic multiplications xi*yj, such as
COMBA or KARATSUBA multiplications, in relation with a higher-level
algorithm calling the multiplication algorithm by the intermediary of a
conditional branching. Embodiments of the invention may also be applied
to the testing of integrated circuits using a modular multiplication
function including a reduction function, such as for example the
Montgomery function, the Quisquater function, or Sedlak's ZDN
multiplication, which also include a plurality of basic multiplications
xi*yj.

[0170] In all these applications, the invention allows for the evaluation
of hypotheses about the conditional branching, in order to deduce a
secret data upon which the conditional branching depends, and the
realization of test systems for the qualification or the certification of
integrated circuits. The integrated circuits are rejected as incapable of
conserving a secret if the secret can be discovered by the test system.

[0171] Effectiveness of Conventional Countermeasures

[0172] So that integrated circuits can successfully complete conventional
qualification or certification processes, integrated circuit designers
generally provide countermeasures thereinto, the most common of which are
the following:

i) Randomization of the exponent d:

[0173] The exponent d is replaced by a random exponent d' such as:

d'=d+K

with K a multiple of the order of the multiplicative group wherein the
calculations are performed.

[0174] For example, in the case of the RSA algorithm K=k*φ(n), with k
a random number and φ Euler's function, such as φ(n)=(p-1)*(q-1),
p and q being integers such that p*q=1.

ii) Additive randomization of the message m and of the exponentiation
module n:

[0175] The received message m is transformed into a message m* such that:

m*=m+r1*n modulo r2*n

that is:

m=m+u*n

with u=r1 modulo r2, r1, r2 being random numbers that are different for
each new cryptographic calculation cycle. iii) Multiplicative
randomization of the message m:

[0176] The received message m is transformed into a message m* such that:

m*=re*m modulo m

with r a random number and e a public exponent.

[0177] It appears that countermeasure i) is ineffective upon the test
process according to embodiments of the invention, and merely allows
vertical DPA and CPA to be countered. The test process according to the
invention only requires a single consumption curve and allows for the
discovery of an exponent d'. The exponent d', even though it is derived
from the initial exponent d, can be used as a secret key to execute the
modular exponentiation, the same as the initial exponent.

[0178] Concerning countermeasures ii) and iii), it equally appears that
the test process according to embodiments of the invention allows, by
introducing hypotheses about the value of the randomized message into the
hypothesis, to breach such countermeasures. This is due to the fact that
it is based on the horizontal transversal statistical processing of a
single consumption curve related to a single message instead of on a
statistical vertical transversal processing based on several consumption
curves related to several messages. These countermeasures multiply the
number of hypotheses to treat and slow down the execution of the process
of the invention but do not prevent the determination of which operation
is executed by the integrated circuit, unless the number of hypotheses to
treat is too large.

[0179] Appropriate Countermeasures

[0180] Embodiments of the invention relate to the provision of a
countermeasure allowing an integrated circuit to be considered as able to
be used after a qualification or certification test including the process
of embodiments of the invention.

[0181] It is proposed here to protect a multiplication algorithm against a
horizontal analysis according to embodiments of the invention by
randomizing the execution order of basic multiplications xi*yj. This
randomization includes either the randomization of the processing order
of xi while conserving the processing order of yj for each xi chosen
(partial randomization), or else the randomization of the processing
order of xi and of the processing order of yj (complete randomization).

[0182] As an example of partial randomization, the following
multiplication sequence:

xi*y0-xi*y1-xi*y3-xi*y4 . . . xi*yl-1

becomes for example (randomly):

xi*y15 xi*y5 xi*y18 xi*yl-1 . . . xi*y2

[0183] If the randomization is complete, all the multiplication sequences
xi*yj are executed in any order.

[0184] Example of a randomized LIM algorithm with partial randomization

[0185] Such a randomized LIM algorithm may be executed by software or by a
hardware circuit.

[0186] Such a randomization can, in addition, be combined with an additive
or subtractive masking of components xi, of components yj, or of both,
consisting in combining by addition or by subtraction the component xi
and/or the component yj with a random or pseudo-random number R' or with
two random or pseudo-random numbers R', R''. In this case, the
multiplication step xi*yj in the algorithm above becomes for example:

u|v(Ri+j+(xi-R')*yj)+c+yj*R'

[0187] Another example using two random numbers R' and R'':

u|v(Ri+j+(xi-R')*(yj-R'')+c+yj*R'xi*R''+yj*R'+R'*R''

[0188] FIG. 13 shows a randomized multiplier hardware SMT2 which differs
from the multiplier SMT1 described in relation with FIG. 6 in that it
includes a sequencer SM2 (state machine, micro-programmed sequencer, . .
. ) configured to execute the multiplication algorithm in the manner that
has just been described. That is, by randomizing the processing order of
components xi or by randomizing the processing order of components xi and
the processing order of components yj, with an optional additive or
subtractive randomization of these components.

[0189] The permutation vector α is here a random word RDM that is
supplied to the multiplier SMT2 by an external random or pseudo-random
word generator RGEN, but could also be generated internally by the
multiplier SMT2. One or more other random words can be supplied to the
multiplier or generated by it if the randomization option of components
xi, yj is kept.

[0190] In one embodiment, the sequencer SM2 is configured to offer two
functioning modes: a conventional functioning mode where it executes the
multiplication in a conventional manner, and a functioning mode
randomized according to the invention. The functioning mode is selected
by means of a configuration signal MODE applied to the multiplier, as
shown in FIG. 13, or by way of a flag MODE programmed in a configuration
register of the multiplier.

[0191] FIG. 14 shows an integrated circuit CIC2 arranged on a portable
support HD such as a plastic card, and equipped with countermeasure means
according to the invention. The integrated circuit includes the same
units as the integrated circuit CIC1 described above in relation with
FIG. 1, and differs therefrom in that the coprocessor CP1 is replaced by
a coprocessor CP2 including the randomized multiplier SMT2 of FIG. 13. In
another embodiment, the coprocessor CP1 only includes the randomized
multiplier SMT2, and is not designed to perform the randomized
multiplication (arithmetic accelerator). In other embodiments, the
coprocessor CP1 may include a component configured to completely execute
the modular exponentiation function, including the randomized
multiplication, or even a component configured to completely execute a
cryptographic function including the modular exponentiation function. In
yet another embodiment, the randomized multiplication according to the
invention is executed by the microprocessor MP.

[0192] It will be noted that in the present description and the claims,
the terms "random" or "pseudo-random" designate a number that is not
known by the evaluator or by the test process and is not predictable for
a person that does not know the secrets of the integrated circuit. In
particular, a number is considered as "random" or "pseudo-random" in the
sense of the present application if it is generated by a deterministic
function (and therefore non random by nature) which uses a secret
parameter to generate this number.

[0193] It will be appreciated by those skilled in the art that changes
could be made to the embodiments described above without departing from
the broad inventive concept thereof. It is understood, therefore, that
this invention is not limited to the particular embodiments disclosed,
but it is intended to cover modifications within the spirit and scope of
the present invention as defined by the appended claims.